What should journalists know about BlackBerry fights?

The discussions between Research In Motion, maker
of the BlackBerry, and governments such as the United Arab Emirates, Saudi
Arabia, and India continue to hit the headlines. In each case, disagreements center
on providing customer communications to security and law enforcement services.
The rumblings from these nations over monitoring powers aren't limited to
RIM: India has announced its intention to put the same
pressure on Google (for Gmail) and Skype (for its IM and telephony services).

All of these devices and services have a reputation for
security, and are therefore commonly used by journalists concerned they or
their sources could be at risk of government or criminal surveillance. What
should journalists working under these conditions make of these new
developments? Will their online security be diminished?

Let's take RIM's BlackBerry, as there have been persistent reports
that the company has faced pressure to placate security services in India and
Saudi Arabia. Can journalists still depend on it for secure communications?

Judging from all the evidence, the answer depends on where
you obtained your BlackBerry. BlackBerrys are sold either directly to
individual consumers by mobile companies, or provisioned by corporate (or
government) IT departments as the mobile extension of their own, private,
messaging systems.

If you have been issued a BlackBerry by your employer, or
use it to access company mail via what RIM calls a BlackBerry Enterprise Server (BES), the
security of your device is in the hands of your employer, not RIM. Companies
are worried about snooping, too, so RIM has purposefully secured its enterprise
offerings so that not even RIM can spy on their traffic. As a side effect, this
means communication is almost certainly secure from government interception,
even if those governments require RIM to keep its servers in their control. If
you feel you are in a vulnerable position, and use a corporate BlackBerry,
speak to your IT department about its security.

If you have a consumer BlackBerry bought from a mobile phone
company, you do not have the protection of RIM's corporate security system. As CPJ has noted previously, this means countries
like the UAE and India always had the potential to intercept your
communications but may not have had the technical knowledge to exploit that
potential.

We assume that this is no longer the case. Locating RIM
servers in these countries (as many of them have demanded) would give the local
authorities the ability to straightforwardly intercept all but SSL/TLS (https)
Web traffic, and would allow local law enforcement to obtain access to stored e-mail.
With a better understanding of RIM's infrastructure (obtained either from RIM
itself or through independent research), these nations and others could decode
BlackBerry traffic passing over their mobile networks even without local RIM
servers.

One common service used by both enterprise and consumer
BlackBerry owners is "PIN-to-PIN" messaging, the feature that allows BlackBerry
owners to send free messages to any other BlackBerry user. PIN-to-PIN has the
strongest reputation for privacy. Unfortunately, while it is certainly harder
to intercept than SMS (text) messages, the encoding system that RIM uses to
send PIN messages can theoretically be decoded.

In summary: if you're a journalist using an enterprise
BlackBerry given to you by your employer for work purposes, you are probably
well-protected from casual interception (although you should never depend on
the inviolability of your communication systems). If you are using a consumer
BlackBerry, do not presume to be any better protected from surveillance than
someone using an ordinary mobile phone.

No anti-surveillance system offers perfect protection. Even
enterprise BlackBerrys could be compromised through the installation of spyware
on the phone (as the UAE attempted in 2009) or on the corporate
servers. The encryption systems that protect Skype and Gmail from local
interception are potentially vulnerable to sophisticated attacks such as fake
versions of Skype with backdoors or fake websites that can convince
browsers they are the real Gmail. The good news is that the majority
of these techniques would be detectable, if not obvious. With the right
software and expertise, they can be spotted by their victim. And their use "in
the wild" would, in itself, be a major news story.

Governments planning to use these attacks on journalists
should know that their spying can be spotted and exposed.

San Francisco-based CPJ Internet Advocacy Coordinator Danny O’Brien has worked globally as a journalist and activist covering technology and digital rights. Follow him on Twitter @danny_at_cpj.